Author Topic: Sign of "Win32:Trojan-gen {Other}"  (Read 11104 times)


pete319

  • Guest
Sign of "Win32:Trojan-gen {Other}"
« on: August 13, 2009, 11:42:36 AM »
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Start Menu\Programs\Nero 7 Ultra Edition\Tools\License Repair.exe" file.  

I received this after the latest update, when I did a standard scan (update 090812-0).
I have sent it to Alwil through the chest for it to be analyzed.
I also tried to send it to Jotti's malware and VirusTotal, but I get "file is empty (0 bytes)".
I also ran scans with malwarebytes antimalware and superantimalware, which all showed clean.

I think it may be a false positive, only guessing though.
« Last Edit: August 13, 2009, 11:52:46 AM by pete319 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #1 on: August 13, 2009, 04:49:36 PM »
It could be what the file does; it may be considered some sort of key generator, which may be considered a trojan.

Send the sample to virus@avast.com zipped and password protected with the password in the email body; a link to this topic, VirusTotal results, etc. might help, and "false positive" in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

pete319

  • Guest
Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #2 on: August 14, 2009, 08:00:32 AM »
Hi DavidR
Thanks for your reply ;)

I have sent the file via the chest earlier.

I tried to upload it to VirusTotal, but I got "this file is empty (0 bytes)". Waited 10 minutes and nothing happened. That was before I placed it in the chest. So I will leave it there for a couple of days.

This may sound a very silly question, but I assume if I want to test the file for any virus alert I will have to restore the file back to the original place from the Avast vault.  :-[

Offline DavidR

Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #3 on: August 14, 2009, 03:20:44 PM »
That (0 byte size) is most likely because avast is blocking the upload, see below for what I normally suggest to be able to upload to VT.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If you want to test the file, you scan it from within the chest.

pete319

  • Guest
Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #4 on: August 15, 2009, 08:40:28 AM »
Hi DavidR
It worked like a charm
 http://www.virustotal.com/analisis/28ad4b4c44e8d55589af4250d2225366ac6a5b49cc3df9a4a244b729e94ef6e5-1250275494

It does seem like it is a virus and not a false alarm.

Nero itself is being a pain. If I boot the computer it will want to install, and for no reason, even after I have been using the comp for a while, it will just try to install itself.
I have to use Task Manager to end the task.

Below is what appears in event viewer.
Product: Nero 7 Ultra Edition -- Error 1706. No valid source could be found for product Nero 7 Ultra Edition.  Windows Installer cannot continue.

For more information, see Help and Support Center at
If I had a disk I would just uninstall and reinstall; maybe I will have to just uninstall Nero too!!!  (EDIT) remove virus and install a free CD/DVD burning software

Your help is very much appreciated ;)
« Last Edit: August 15, 2009, 12:51:53 PM by pete319 »
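
Added example, not part of any post in this thread: once the file has been exported to the excluded folder and scanned, the report URL can be tied back to the exact bytes on disk by comparing hashes, which also catches the 0-byte read seen earlier. It assumes the permalink ends in the file's SHA-256 followed by the Unix scan time, as the URL in Reply #4 appears to; the function names and the sample path are hypothetical.

```python
import hashlib
import os
import re
from datetime import datetime, timezone

# URL posted in Reply #4 of this thread.
THREAD_URL = ("http://www.virustotal.com/analisis/"
              "28ad4b4c44e8d55589af4250d2225366ac6a5b49cc3df9a4a244b729e94ef6e5"
              "-1250275494")

# Assumption: the permalink ends in <64 hex chars of SHA-256>-<Unix scan time>.
PERMALINK = re.compile(r"/analisis/([0-9a-fA-F]{64})-(\d{1,10})/?$")


def parse_permalink(url):
    """Split a report permalink into (sha256 hex, scan time in UTC)."""
    m = PERMALINK.search(url.strip())
    if m is None:
        raise ValueError("unrecognised permalink: %r" % url)
    scanned = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1).lower(), scanned


def sha256_of(path):
    """Hash a file in chunks, rejecting the 0-byte case seen in the thread."""
    if os.path.getsize(path) == 0:
        raise ValueError("%s is empty (0 bytes)" % path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def report_matches(path, url):
    """True only if the report was generated for exactly these bytes."""
    return sha256_of(path) == parse_permalink(url)[0]


if __name__ == "__main__":
    sha, when = parse_permalink(THREAD_URL)
    print("report sha256:", sha)
    print("scanned (UTC):", when.isoformat())
    # Hypothetical path: the file exported from the chest into the excluded folder.
    sample = r"C:\Suspect\License Repair.exe"
    if os.path.exists(sample):
        print("report matches local file:", report_matches(sample, THREAD_URL))
```

A mismatch means the report describes a different file (or a different version of it) than the one in the folder, so its detections say nothing about the local copy.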

Offline DavidR

Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #5 on: August 15, 2009, 02:50:12 PM »
You're welcome.

However, if you look at the various malware names as I said in my first reply they too appear to be detecting based on it being some sort of key generator; others are also using generic or heuristic signatures which are more prone to FP.

So if this came from Nero and or a legit source and the key repair file is a legit function then the jury is still out and worth sending avast for further analysis.

Another analysis site is, http://anubis.iseclab.org/?action=home this is a detailed analysis of what the file actually does, post the URL of the results.

pete319

  • Guest
Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #6 on: August 15, 2009, 03:16:24 PM »

Offline DavidR

Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #7 on: August 15, 2009, 04:00:38 PM »
Well the activity seems strange if it is a legit tool, but you didn't answer the question about the source and this is I feel the crucial element.

Quote
Summary:
    - Performs Registry Activities:
        The executable reads and modifies registry values. It also creates and
        monitors registry keys.

Whilst it may be necessary to repair a (singular) license key, modifying registry values and creating and monitoring registry keys to me seems a bit over the top, but that could be anti-piracy. Which again brings me back to the question on legitimate source?

pete319

  • Guest
Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #8 on: August 15, 2009, 04:08:12 PM »
Hi
Yes, as far as I know it is legit, as I had a new motherboard and CPU installed into the computer at a computer shop and they installed Nero 7 on the comp after they reinstalled Windows etc.
This was in April 2007.
I have not added anything to Nero, and just a few days before I used Nero and had no warnings about any viruses.
I only received this warning when I did a standard scan on Aug 13; up to then all scans were clean.

Does this help?

Offline DavidR

Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #9 on: August 15, 2009, 05:26:38 PM »
I would treat it as suspect then as you can't confirm the origin, normally you get Nero on an OEM CD when you buy an Optical drive, so that could have been the source, but not certainty.

Let's see what avast make of it in analysis.

pete319

  • Guest
Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #10 on: August 16, 2009, 08:18:15 AM »
Quote
I would treat it as suspect then as you can't confirm the origin, normally you get Nero on an OEM CD when you buy an Optical drive, so that could have been the source, but not certainty.

Let's see what avast make of it in analysis.

I have sent the sample twice, so hopefully Alwil has received it.
I have now uninstalled Nero 7, as when I rebooted today the computer took a long time booting, as Nero wanted to start; the comp kept locking up and I had to continue ending task.
I also got rid of my restore points, rebooted, and scanned with Avast: all clear.
Computer now booting without any problems.

I will either buy a burning program or download a free one, as I really only need basics.

Pete

YoKenny

  • Guest
Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #11 on: August 16, 2009, 10:55:52 AM »

Quote
I will either buy a burning program or download a free one, as i really only need basics.

Pete

I like CDBurnerXP:
http://cdburnerxp.se

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #12 on: August 16, 2009, 11:42:03 AM »
 You may also try this one:

 Burn Aware
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

cinchez

  • Guest
Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #13 on: August 16, 2009, 11:48:52 AM »
Eh?

I thought all PCs have their burning capabilities made from the factory^^

Mine does a good job of burning pics, musics, vids and even DVDs^^

Anyway, u could try those free programs posted by YoKenny and Larc^^

-AnimeLover^^

pete319

  • Guest
Re: Sign of "Win32:Trojan-gen {Other}"
« Reply #14 on: August 16, 2009, 11:56:41 AM »
Quote
I like CDBurnerXP:
http://cdburnerxp.se

I'll check it out, thanks YoKenny.

Quote
You may also try this one:

 Burn Aware

Another one for me to check out. Thanks .: L' arc :.

Quote
Eh?

I thought all PCs have their burning capabilities made from the factory^^

Mine does a good job of burning pics, musics, vids and even DVDs^^

Anyway, u could try those free programs posted by YoKenny and Larc^^

-AnimeLover^^

Hi +AdDicT+
You are right, there is one built in, which I have used occasionally, but I feel that there is a lot more which allows you to even do the basic things easier. Boils down to individual choice.